Drupal Release: 10.4.0-rc1
Pre Release
Tag Name: 10.4.0-rc1
Release Date: 12/2/2024
Drupal: Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.
TL;DR
Drupal 10.4.0-rc1: Security Fixes, Performance Improvements, and Bug Fixes
This release candidate for Drupal 10.4.0 includes several critical security fixes (SA-CORE-2024-003 through 008), performance improvements for Twig template rendering, and various bug fixes. Notable improvements include fixes for password reset functionality, PHP 8.4 compatibility updates, and enhanced caching behavior. This update is particularly important for sites running Drupal 10.3 that experienced issues with the YAML parser deprecation.
Highlight of the Release
- Multiple security advisories addressed (SA-CORE-2024-003 through 008)
- Fixed regression with YAML parser class setting from Drupal 10.3
- Performance improvements for Twig template rendering
- Enhanced password reset functionality and messaging
- PHP 8.4 compatibility improvements
Migration Guide
No specific migration steps are required for this release candidate. However, site administrators should note the following:
- If you experienced issues with the YAML parser after upgrading to Drupal 10.3, this release fixes that regression.
- The fix for password and confirm password fields being mandatory when setting up passwords using one-time links may require testing of your custom password reset workflows.
- If you're using custom code that relies on exception handling for 400/BadRequestException, test thoroughly as the behavior has been modified.
- Sites using the "view own unpublished content" permission should test their caching behavior after applying this update.
For sites preparing to upgrade to PHP 8.4 in the future, this release includes several compatibility improvements that will make that transition smoother.
Upgrade Recommendations
Priority: High
This release candidate includes multiple security fixes and addresses a critical regression with the YAML parser from Drupal 10.3. All sites running Drupal 10.x should plan to upgrade to this version once it reaches full release status.
Sites currently experiencing issues with the YAML parser after upgrading to Drupal 10.3 should prioritize this update to resolve those problems.
Recommended steps:
- Create a complete backup of your site before upgrading
- Update your development/staging environment first
- Run `composer update drupal/core --with-all-dependencies` to update to the RC
- Run database updates via Drush or the web interface
- Clear caches thoroughly
- Test your site functionality, especially password reset flows and any custom exception handling
- Plan to upgrade production environments once testing is complete and the final release is available
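The steps above as a staging script; this is an added example, not part of the Drupal release notes. It assumes Drush at `vendor/bin/drush`, a run from the project root, and a hypothetical `BACKUP_DIR`. It prints the commands unless `DRY_RUN=0` is set.

```sh
#!/bin/sh
# Added example: staging upgrade following the steps listed above.
# Assumptions (not from the page): run from the project root, Drush lives at
# vendor/bin/drush, and BACKUP_DIR is a hypothetical backup location.
set -eu

TARGET="10.4.0-rc1"                       # tag name given on this page
BACKUP_DIR="${BACKUP_DIR:-$PWD/backups}"  # hypothetical; keep it outside the web root
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print commands, 0 = execute them

# Execute a command, or only print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY-RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# Succeeds only when the reported core version is exactly the target tag.
is_target_version() {
  [ "$1" = "$TARGET" ]
}

upgrade_staging() {
  # Database backup first (back up the files directory separately).
  run mkdir -p "$BACKUP_DIR"
  run vendor/bin/drush sql:dump --gzip --result-file="$BACKUP_DIR/pre-$TARGET.sql"
  run composer update drupal/core --with-all-dependencies
  run vendor/bin/drush updatedb --yes
  run vendor/bin/drush cache:rebuild
  if [ "$DRY_RUN" = "1" ]; then
    return 0
  fi
  # Composer keeps the old release if the project's stability settings
  # exclude release candidates, so confirm what is actually installed.
  installed="$(vendor/bin/drush status --field=drupal-version)"
  if ! is_target_version "$installed"; then
    echo "core is $installed, expected $TARGET" >&2
    return 1
  fi
}

upgrade_staging
```

A failed version check after a real run means the security fixes in this tag are not installed, even though every command exited cleanly.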
Bug Fixes
- YAML Parser Regression: Fixed a critical regression where the deprecation of `yaml_parser_class` setting in 10.3 was breaking sites running versions prior to 11.0 (Issue #3485296).
- Password Reset Improvements:
  - Made password and confirm password fields mandatory when setting up passwords using one-time links (Issue #2855328).
  - Fixed incorrect messaging after password reset operations (Issue #2969406).
- Layout Builder:
  - Fixed CSS issue where `field:not(:last-child)` was not working properly with Layout Builder in the Olivero theme (Issue #3471490).
  - Fixed the PlaceBlock config action that was breaking when placing a block in an empty region (Issue #3488664).
- PHP 8.4 Compatibility:
  - Fixed usage of `str_getcsv()` and `fgetcsv()` for PHP 8.4 (Issue #3477324).
  - Stopped passing `E_USER_ERROR` to `trigger_error()` on PHP 8.4 (Issue #3465827).
- Exception Handling: Fixed `DefaultExceptionHtmlSubscriber` to not clone the request for 400/BadRequestException (Issue #3486972).
- Caching Issues:
  - Fixed access cacheability when "view own unpublished content" permission is in use (Issue #3278759).
  - Added potential exception handling when calling `Request::create()` in PathBasedBreadcrumbBuilder (Issue #3490710).
- Testing Framework:
  - Fixed TypeError in ContentEntityCloneTest (Issue #3488781).
  - Fixed bogus mocking in UpdateRegistryTest (Issue #3490507).
  - Ensured tests don't run twice (Issue #3487816).
- Path Validation: Fixed issue with symfony/http-foundation commit breaking PathValidator (Issue #3489329).
New Features
- Accessibility Enhancement: Implemented `focus-within` in hidden.module.css for improved keyboard navigation and screen reader support.
- Recipe Configurator Performance: Added static caching for recipe objects to avoid performance problems in `RecipeConfigurator::getIncludedRecipe()`.
- Security Coverage Documentation: Hardcoded security coverage EOL dates for Drupal 10.last-1 and 10.last for clearer upgrade planning.
Security Updates
This release includes several critical security fixes:
- SA-CORE-2024-003: Security advisory addressing vulnerabilities (by jrb, larowlan, catch, mingsong, poker10, longwave, benjifisher).
- SA-CORE-2024-004: Security advisory addressing vulnerabilities (by zengenuity, cilefen, kristiaanvandeneynde, mcdruid, larowlan).
- SA-CORE-2024-006: Security advisory addressing vulnerabilities (by mcdruid, larowlan).
- SA-CORE-2024-007: Security advisory addressing vulnerabilities (by mcdruid, larowlan).
- SA-CORE-2024-008: Security advisory addressing vulnerabilities (by mcdruid, fabianx, poker10, larowlan, longwave, alexpott).
Note: Detailed information about these security advisories will be available in the official Drupal Security Advisories.
Performance Improvements
- Twig Template Rendering: Fixed performance degradation that occurred after updating to Twig 3.14.2 (Issue #3487031).
- Recipe Configurator: Implemented static caching for recipe objects in `RecipeConfigurator::getIncludedRecipe()` to avoid performance problems (Issue #3488179).
- Testing Efficiency: Improved test execution by ensuring tests don't run twice, reducing CI time and resource usage (Issue #3487816).
- Dynamic Page Cache: Improved Dynamic Page Cache header assertions in JSON:API tests for better caching behavior (Issue #3473374).
Impact Summary
Drupal 10.4.0-rc1 delivers significant security improvements through multiple security advisories (SA-CORE-2024-003 through 008), making this an important update for all Drupal 10.x sites. The release also fixes a critical regression with the YAML parser that affected sites upgrading from Drupal 10.3.
Performance improvements are notable, particularly the fix for Twig template rendering performance degradation and the implementation of static caching for recipe objects. These changes should result in better overall site performance.
User experience enhancements include improved password reset functionality with clearer messaging and mandatory password fields when using one-time links. Accessibility is improved with the implementation of focus-within CSS.
For developers, this release provides important PHP 8.4 compatibility updates, ensuring smoother transitions to newer PHP versions in the future. The fixes for caching behavior, particularly with "view own unpublished content" permissions, address subtle but important issues that could affect content management workflows.
Overall, this release candidate represents an important step toward Drupal 10.4.0, with a strong focus on security, performance, and bug fixes that improve the stability and reliability of the platform.
User Affected:
- Benefit from critical security fixes that protect their sites
- Experience improved performance with Twig template rendering
- Need to apply this update promptly to address security vulnerabilities
